CVE-2025-1391 — Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organ

Description

This vulnerability is caused by the improper mapping of users to organizations based solely on email/username patterns. The issue is limited to the token claim level, meaning the user is not truly added to the organization but may appear as such in applications relying on these claims. The risk increases in scenarios where self-registration is enabled and unrestricted, allowing an attacker to exploit the naming pattern. The issue is mitigated if admins restrict registration or use strict validation mechanisms.

How to fix CVE-2025-1391

To remediate CVE-2025-1391, upgrade the affected package to a fixed version below.

—upgrade to 26.1.3 or later

Is CVE-2025-1391 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 26.1.0, < 26.1.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-1391
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2025:2545
WEBaccess.redhat.com/security/cve/CVE-2025-1391
WEBbugzilla.redhat.com